
Overview of IT Audit: IT risk and controls; IS audit process

Assurance engagement
An engagement in which a practitioner expresses a conclusion designed to enhance the degree of confidence of the intended users (other than the responsible party) about the outcome of the evaluation or measurement of a subject matter against criteria. (Handbook of ISA; IFAC)

Code of Professional Ethics
ISACA sets forth this Code of Professional Ethics to guide the professional and personal conduct of members of the Association and/or its certification holders. Members and ISACA certification holders shall:

1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Failure to comply with this Code of Professional Ethics can result in an investigation into a member's or certification holder's conduct and, ultimately, in disciplinary measures.

Auditing
An audit is an evaluation of an organization, system, process, project or product, performed by a competent, independent and objective party, which results in an issued report.

Evaluation of: organization, system, process, project, product
Performed by: competent, independent, objective auditors
Deliverable: issued report

Why do we plan?
To improve effectiveness: enhance the chance of success.
To improve efficiency: achieve the best result with the least resources.

What should we consider in planning an IS Audit?
Risk
Controls
Technological updates
Business needs
Auditing techniques

How do we plan (Audit planning process)?
Steps in the planning process (shown as a diagram on the original slide):
1. Define the needs/problem
2. Gather relevant information
3. Assess/enumerate the risks
4. Analyze the risk
5. Identify and review controls
6. Set audit scope and objectives
7. Develop strategy
8. Assign resources
9. Implement the plan
10. Evaluate the plan

Risk
The potential that a given threat will exploit the vulnerabilities of an asset or assets to cause loss or damage to the asset(s).

Risk Assessment
Identifying business risks relevant to financial reporting objectives;
Estimating the significance of the risks;
Assessing the likelihood of their occurrence; and
Deciding about actions to address those risks.
(PSA 315.15)

Internal control in a CIS Environment
Two categories of controls:
General CIS controls
Application controls

General CIS Control
Organization and management controls
Development and maintenance controls
Delivery and support controls
Monitoring controls

Organization and management controls
Strategic information technology plan.
CIS policies and procedures.
Clearly defined roles and responsibilities.
Segregation of incompatible functions.
Monitoring of IS activities performed by third-party consultants.

Development and maintenance controls
Project initiation, requirements definition, systems design, testing, data conversion, go-live decision, migration to the production environment, documentation of new or revised systems, and user training.
Acquisition and implementation of off-the-shelf packages.
Requests for changes to the existing systems.
Acquisition, implementation, and maintenance of system software.

Delivery and support controls
Establishment of service level agreements against which CIS services are measured.
Performance and capacity management controls.
Event and problem management controls.
Disaster recovery/contingency planning, training, and file backup.
Computer operations controls.
Systems security.
Physical and environmental controls.

Monitoring controls
Monitoring of key CIS performance indicators.
Internal and external CIS audits.

Application Control
Controls over input
Controls over processing and computer data files
Controls over output

Controls over input
Transactions are properly validated and authorized before being processed by the computer.
Transactions are accurately converted into machine-readable form and recorded in the computer data files.
Transactions are not lost, added, duplicated or improperly changed.
Incorrect transactions are rejected, corrected and, if necessary, resubmitted on a timely basis.

Controls over processing and computer data files
Transactions, including system-generated transactions, are properly processed by the computer.
Transactions are not lost, added, excluded, duplicated or improperly changed.
Processing errors are identified and corrected on a timely basis.

Controls over output
Results of processing are accurate.
Access to output is restricted to authorized personnel.
Output is provided to appropriate authorized personnel on a timely basis.
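The input and processing objectives above (validated and authorized input, nothing lost, added or duplicated, errors rejected for resubmission) are typically met in batch systems with edit checks plus control totals carried from input through to posting. The following is an added illustration written for this page, not taken from PAPS 1008, PSA 315 or ISACA; the approver list, the record layout and the sample transactions are constructed for the example.

```python
"""Application controls over input and processing: edit checks,
duplicate detection and run-to-run control totals (added example)."""
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation

# Assumed list of people allowed to authorise a transaction.
AUTHORISED_APPROVERS = {"jdoe", "msmith"}


@dataclass(frozen=True)
class Txn:
    txn_id: str
    account: str      # numeric account number; feeds the hash total
    amount: Decimal
    approver: str


def parse_records(lines):
    """Input controls. Each raw record is either converted into a Txn or
    rejected with a reason, so a bad record can be corrected and
    resubmitted instead of silently disappearing."""
    accepted, rejected, seen_ids = [], [], set()
    for raw in lines:
        fields = [f.strip() for f in raw.split(",")]
        if len(fields) != 4:
            rejected.append((raw, "wrong field count"))
            continue
        txn_id, account, amount_s, approver = fields
        if txn_id in seen_ids:                    # duplicate input
            rejected.append((raw, "duplicate transaction id"))
            continue
        if not account.isdigit():                 # conversion check
            rejected.append((raw, "non-numeric account"))
            continue
        try:
            amount = Decimal(amount_s)
        except InvalidOperation:
            rejected.append((raw, "invalid amount"))
            continue
        if amount <= 0:                           # reasonableness check
            rejected.append((raw, "amount must be positive"))
            continue
        if approver not in AUTHORISED_APPROVERS:  # authorisation check
            rejected.append((raw, "not authorised"))
            continue
        seen_ids.add(txn_id)
        accepted.append(Txn(txn_id, account, amount, approver))
    return accepted, rejected


def control_totals(txns):
    """Record count, financial total and hash total. The hash total (sum
    of account numbers) has no business meaning, but any record that is
    lost, added or altered in processing changes it."""
    return (len(txns),
            sum((t.amount for t in txns), Decimal(0)),
            sum(int(t.account) for t in txns))


def post_batch(txns, drop_id=None):
    """Processing step (posting). drop_id simulates a record lost during
    processing so the reconciliation has something to catch."""
    return [t for t in txns if t.txn_id != drop_id]


def reconcile(totals_in, totals_out):
    """Run-to-run control: totals taken at input must equal the totals
    recomputed after processing."""
    return totals_in == totals_out


# Constructed sample batch: three good records and six control violations.
SAMPLE_INPUT = [
    "T001, 1001, 250.00, jdoe",
    "T002, 1002, 75.50, msmith",
    "T002, 1003, 10.00, jdoe",       # duplicate id
    "T003, 10A4, 20.00, jdoe",       # non-numeric account
    "T004, 1004, -5.00, jdoe",       # negative amount
    "T005, 1005, 99.99, nobody",     # unknown approver
    "T006, 1006, abc, jdoe",         # unparseable amount
    "T007, 1007, 40.00",             # missing approver field
    "T008, 1008, 120.00, msmith",
]


def run_example(drop_id=None):
    """Validate the batch, post it, and reconcile input vs. output totals."""
    accepted, rejected = parse_records(SAMPLE_INPUT)
    totals_in = control_totals(accepted)
    posted = post_batch(accepted, drop_id)
    totals_out = control_totals(posted)
    return {
        "accepted": len(accepted),
        "rejected": [reason for _, reason in rejected],
        "totals_in": totals_in,
        "totals_out": totals_out,
        "balanced": reconcile(totals_in, totals_out),
    }


if __name__ == "__main__":
    print(run_example())               # balanced batch
    print(run_example(drop_id="T002")) # record lost in processing
```

The rejected list is the input to the correction-and-resubmission loop; the control totals are what an auditor would expect to see logged at each run boundary and reconciled, because a count alone misses a record replaced by another of the same amount, while the hash total does not.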


References
PAPS 1008
PSA 315
ISACA Code of Professional Ethics